U.S. AGENCY FOR
DEVELOPMENT

March 1, 1999

MEMORANDUM FOR D-AA/M, Richard C.
Chief Information Officer

FROM: Theodore P. Alves

SUBJECT: Audit of         Progress Implementing a Financial Management System That Meets Federal Financial Management Improvement Act Requirements (Audit Report No. A-000-99-003-P)

The Federal Financial Management Improvement Act of 1996 (PL         (FFMIA) requires         to determine whether its financial management system meets Federal requirements that are designed to ensure that managers receive reliable information to report financial and performance results and to manage agency operations. In December 1997, the Administrator determined that         systems did not meet those federal requirements. The Act also requires         to submit a remediation plan to correct the deficiencies and the         Office of Inspector General (OIG) to report to the Congress if         falls behind remediation plan milestones.

This report shows that         has made only limited progress improving its systems during the past year. Significant improvements are not achievable until existing systems are replaced or modernized--an effort that is scheduled to be completed in 2001.         progress has also been limited by planning and organizational challenges that continue to threaten its efforts to successfully modernize its systems.
The report includes two recommendations which aim to strengthen         planning process and organization.

1 OMB Circular A-127 and the Chief Financial Officers Act call for agencies to implement a single integrated financial management system, which is a unified set of financial systems and the financial portions of mixed systems (those systems that support both financial and non-financial activities). Working together using standardized information and electronic data exchange, these systems provide the information managers need to (1) carry out their fiduciary responsibilities; (2) deter fraud, waste, and abuse; and (3) relate financial consequences to program performance. Thus, in addition to basic accounting functions, a single integrated financial management system includes         and performance data from supporting systems that perform performance measurement, budget, procurement, payroll, human resource, and other functions. Because         has not implemented a single integrated financial management system, this report refers to         financial management systems.

1300 PENNSYLVANIA AVENUE, WASHINGTON, D.C. 20523

In response to a draft report,         stated that         management and the OIG generally agree about the processes, plans, and documentation needed to deploy a financial management system that meets federal requirements. The comments also stated that the draft report conveys a general tone of non-compliance and gives the impression that the Agency is repeating earlier mistakes.
Management also believes the report does not acknowledge the dilemma it faces trying to balance the risk of an acquisition based on less than a full architecture with its goal of having a new core financial system deployed in Washington by fiscal year 2000. Management also provided detailed comments on individual report sections. Those comments indicate general agreement with the findings and most recommendations. However, because the report and recommendations have changed, it is unclear whether         has made a decision to implement the report’s recommendations. We will continue discussing the recommendations with management.

        properly characterized the tone of the report, which reflects our concerns that past mistakes were being repeated. The report points out several parallels with the approach         followed in acquiring the New Management System (NMS), a system that did not operate effectively. They include the (1) lack of an Agency-wide blueprint before beginning development, (2) acquisition of a core financial system in isolation from other financial and mixed financial systems, and (3) lack of a comprehensive acquisition strategy supported by sufficiently detailed plans. We are encouraged by management’s comments, which indicate general agreement to modify the approach.

We believe         dilemma between completing an architecture and meeting its goal of deploying a core financial system by the year 2000 should be resolved based on an analysis of risks. We believe its approach: to purchase the core financial system before completing an agency-wide architecture and acquisition strategy, and without a strong program office creates significant risks.

To illustrate, one factor contributing to NMS problems was that         took shortcuts in reaction to perceived schedule pressures.
For example, even though responsible officials urged management to postpone deployment until problems were corrected,         deployed the system worldwide in October 1996 in order to meet its deployment schedule. Based on its experience with NMS,         has committed to follow disciplined practices in order not to repeat those mistakes. However, because         has not yet prepared a realistic risk adjusted schedule, it is not in a position to know whether its schedule goals are achievable. We believe a choice between following disciplined practices and meeting scheduled goals should be decided in favor of following disciplined practices.

Additional management comments and our evaluation are located on pages 14 and 19.

        complete comments have been included as Appendix II.

Thank you for the cooperation and assistance extended to our auditors during this assignment.

Background

The FFMIA requires agencies to implement and maintain financial management systems that comply substantially with federal financial management system requirements, applicable federal accounting standards, and requirements to post transactions to the United States Standard General Ledger at the transaction level         Incorporating these capabilities will help         ensure that all assets, liabilities, revenues, expenditures and the full cost of programs and activities are consistently and accurately recorded, monitored, and reported.

The Act also requires financial statement audit reports to address whether the financial management system complies with these system and accounting requirements.
In our March 2, 1998, report on         financial statements, we reported that the systems did not substantially         As required by the Act, our report described the nature and extent of noncompliance, the cause of noncompliance, and the organization         Because         had agreed to implement prior audit recommendations to correct the deficiencies, we did not make additional recommendations.

The Act further requires the agency head to consider the audit report and other         and make a determination as to whether the agency’s financial management system substantially complies with the requirements. If the system does not substantially comply with the requirements, the agency must prepare a remediation plan that includes the resources, remedies, and intermediate target dates needed to bring the system into substantial compliance. In that case, the Act requires Inspectors General to report to the Congress if the agency does not meet the intermediate milestones identified in the plan. In a December 1998 financial management system status report to the Office of Management and Budget (OMB),         Chief Financial Officer (CFO) reported that         systems did not substantially comply with         requirements and presented a remediation plan to correct the problems.

The         “financial management system” deserves clarification, because it is sometimes interpreted to refer only to accounting systems. However, OMB Circular A-127, Financial Management Systems, defines the term more broadly.
Circular A-127 calls on agencies to implement single integrated         management system, which is a unified set of financial systems and the financial portion of mixed systems that are used to carry out financial management functions; manage financial operations; and report financial and performance information to central management agencies, the Congress, and the public. Financial systems are those that support the functions of tracking financial events, providing financial information to agency managers, or preparing financial statements. Mixed systems are those that support both financial and non-financial functions of the agency, such as systems to process budgets, contracts, grants, or other acquisitions.

        SGL provides a standard chart of accounts and standardized transactions that agencies use to record accounting transactions and events consistently across the federal government.

        Reports on         Financial Statements, Internal Controls, and Compliance for Fiscal Years 1996 and 1997, (Audit Report No. 0-000-98-001-F, dated March 2, 1998).

        companion report provided additional detail about the requirements and the nature and extent of system deficiencies. Audit of the Extent to Which         Financial Management System Meets Requirements Identified in the Federal Financial         Improvement Act of 1996, (Audit Report No. A-000-98-003-P, March 2, 1998).

The reason the term is broadly defined is that the systems are expected to support not only basic accounting functions but also to provide the integrated budget, financial, and performance information managers need to (1) understand the implications of their decisions, (2) track the results of their programs, and (3) facilitate policy changes to improve operational efficiency or effectiveness.

Objective

This audit was designed to answer the following question:

What progress has         made in bringing its financial management systems into compliance with the Federal         Management Improvement Act of

To answer this question we analyzed (1) the extent to which the systems meet FFMIA requirements, and (2) the adequacy of remediation plans to bring the systems into compliance with the         Although we focused on analyzing         remediation plan, we also reviewed other         plans and activities to implement an effective financial management system. A full         of our scope and methodology is contained in Appendix I.

Summary of Results

        has made only limited progress improving its systems during the past year. Significant improvements are not achievable until existing systems are replaced or modernized--an effort that is scheduled to be completed in         progress is also limited by planning and organizational challenges that threaten its efforts to successfully modernize its systems.         developed a remediation plan to correct the systems’ deficiencies. However, the plan is not adequate because it is not based on a full information system architecture, a comprehensive acquisition strategy, or a detailed listing of planned actions to bring about an agency-wide integrated financial management system.
These planning deficiencies occurred, in part, because         executives have not implemented organizational changes that are needed to successfully acquire complex systems. Organizational deficiencies include the fact that         executives have not established a program management office with sufficient staff, expertise, and authority to ensure that modernization efforts are implemented successfully.

Audit Findings

        Financial Management System Does Not Yet Substantially Comply With FFMIA Requirements

        managers have committed to follow disciplined practices to modernize systems and have taken several steps to do so. However, during fiscal year 1998, financial management systems did not yet comply substantially with (1) federal financial management system requirements, (2) applicable federal accounting standards, and (3) requirements to post transactions to the United States Standard General Ledger at the transaction level.         recognizes that, because its financial management systems do not incorporate these accounting and systems’ requirements, managers do not always receive the complete, reliable, timely, and consistent information they need to reliably report financial or performance results or efficiently manage agency operations.         has decided to report this condition in its fiscal year 1998 Accountability Report, and is taking action to implement a financial management system that complies with these

Additional information describing these systems’ requirements and the degree to which         systems comply with each requirement is presented in Appendix

        Remediation Plan Is Not Adequate

        also faces planning and management challenges that could threaten its progress modernizing its systems. In particular, the remediation plan the CFO developed to bring systems into compliance with FFMIA is not adequate.
First, because the Chief Information Officer (CIO) has not completed an agency-wide information technology architecture[6] to guide and constrain planned investments,         lacks assurance that its new systems will operate effectively together, support business needs, and provide adequate security. Second, the acquisition strategy--to replace one component of the financial management system before adequately analyzing other business needs and system alternatives--may preclude         from implementing the most cost effective system. Third, the lack of supporting plans describing the remedies (projects and tasks), resources, and interim milestones (schedules) needed to correct the deficiencies, creates a substantial risk of delays, cost increases, and system performance shortfalls. At this time,         has not met requirements to justify new system investments.

        is one of six agencies participating in the 1998 Agency Pilot Accountability Reports, which are to be submitted on March 31, 1999.

        architecture is a blueprint or high level description of how the systems will interact to accomplish agency mission requirements in a cost effective manner. It focuses on describing the relationships among business functions, work processes, information flows, and technology. It also describes standards to be followed to ensure that systems will interoperate, provide security, and be implemented in a disciplined manner.

        Has Not Developed an Information         Architecture

A sound and integrated information technology architecture is essential to successfully implement a complex system modernization effort. Although an architecture is required by legislation and OMB guidance,         CIO has not yet completed an agency-wide information technology architecture to guide and constrain its planned investments.
As a result,         lacks assurance that replacement systems will operate together effectively, support business needs, or provide adequate security and management controls.

The Clinger-Cohen Act makes the CIO responsible for developing, maintaining, and facilitating the implementation of an agency’s information technology architecture. This responsibility includes ensuring that (1) the requirements for Agency-sponsored information systems are aligned with the processes that support the agency’s missions and goals, (2) information systems have adequate interoperability, redundancy, and security, and (3) the agency applies and maintains a collection of standards to evaluate and acquire systems.

The General Services Administration (GSA) recently pointed out that it is highly unlikely that a complex system can be successfully implemented if it is not based on a sound, integrated architecture. The architecture is essential because it provides a blueprint of how related agency systems will be acquired and will work together to achieve strategic mission goals and satisfy business requirements. Separate architectures describe both the currently operating systems environment, called the “baseline” or “as is” architecture, and the planned systems environment, called the “target” or “to be” architecture. Because organizations face a number of different and often conflicting choices when implementing a complex system, it is important that they consider mission requirements and organizational goals and constraints when developing the architecture. Once the architecture is completed, managers use it to both guide and constrain the acquisition and implementation of new technology.

OMB has provided guidance describing minimum requirements for an information technology architecture.
The guidance, contained in         Memorandum 97-16 calls for agencies to develop both an enterprise architecture and a technical reference model and standards profile. The enterprise architecture describes the relationships among agency business processes and activities, business applications, data descriptions, and the technology infrastructure. The technical reference model describes information services that are used throughout the agency, such as database standards, communications functions, and system security requirements. The standards profile defines standards and specifications to ensure compatibility among system components. Profiles are often based on commercial or industry standards to help the agency obtain compatible components. To be complete, the standards need to address hardware, software, user interfaces, communications, data management, and implementation approaches. The guidelines also emphasize the importance of implementing a comprehensive set of computer security standards to ensure that systems and         are protected from unauthorized alteration, loss, or destruction.

Although an architecture is critical to the successful implementation of an integrated financial management system,         has not yet developed such an architecture. According to         documents and responsible officials, the architecture is scheduled to be completed by         systems integration contractor in May 1999.         NMS Executive Team meeting minutes show that the team has discussed the importance of developing a complete architecture to guide implementation of an effective financial management system, the team decided to proceed to acquire a replacement core financial system before completing the architecture. The team decided to proceed on the basis of a preliminary architecture, which also has not yet been completed.
Although         will not have a complete architecture, its schedule calls for it to issue a Letter of Interest         to vendors in early 1999 requesting proposals to replace the core financial system with a commercial off-the-shelf system. As a result, decisions to date have not been guided by an architecture.

Also,         documents show that this preliminary architecture, even when completed, will cover only the core financial system and requirements to support the FM organization. As a result, it will not meet OMB guidance to address agency-wide requirements related to security, or other financial management systems, including procurement, budget, operations, human resources, payroll, property, and inventory. Our prior reports show that these systems         do not meet FFMIA requirements and         will need to modernize or replace them to comply with federal accounting and system requirements.

According to         officials, the planned LOI will include the preliminary architecture. However, because the preliminary architecture will not contain sufficient information to describe key elements of the agency-wide architecture, the LOI may not include sufficient         about         for vendors to properly bid on a replacement for the core financial system. Further, without an agency-wide architecture, vendors may not be able to propose a system that best meets         needs and         may not be able to properly evaluate vendor offers to ensure that the proposed system will align with other business processes and provide adequate interoperability, redundancy, and security. Accordingly,         risks selecting a replacement system that will not meet agency-wide business needs or provide adequate security.

Security requirements provide a good illustration of the impact of proceeding without a complete architecture.
A well-designed architecture decreases the risk of implementing systems that provide inadequate security. However, because the preliminary architecture will not include a description of security standards or approaches,         is at risk of acquiring a system that does not support overall agency security requirements. Meeting security requirements is particularly important at         because pervasive computer security deficiencies have led         managers to identify computer security as an agency-wide material management control weakness. Without security standards, managers will not have a guide to ensure an integrated security approach for the replacement of its financial management systems.         computer security program needs to operate across all financial management systems to prevent unauthorized access to financial data and resources. Without an architecture to describe how such a program will operate across future financial management systems, a security program may operate effectively on a replacement for the core financial system, but may not operate effectively across other financial management systems.

Overall,         plan to proceed to acquire a replacement core financial system before completing an agency-wide information technology architecture significantly increases risks and repeats a costly mistake that occurred when         recently developed the New Management System (NMS). In that case, the core financial subsystem, called AWACS, was developed independently of the other subsystems. A primary cause of subsequent NMS deficiencies was that the subsystems did not operate in an integrated manner.
The fact that the subsystems were designed and developed independently is also a significant contributor to pervasive security deficiencies.

        Has Not Developed a Comprehensive Acquisition Strategy

        has also not developed a comprehensive acquisition strategy to implement an integrated financial management system that meets federal accounting and system requirements.         current remediation plan is based on an acquisition strategy that contemplates replacing the core financial component of its financial management system before adequately analyzing its other business needs and developing a modular acquisition strategy. This approach may preclude         from implementing the most cost effective combination of systems.

The plan calls for         to acquire a commercial core financial system with a managerial cost accounting component. Some of         older/legacy accounting systems would be eliminated and some financial management responsibilities would be outsourced. Under this strategy,         plans to integrate the new core financial system with the remaining three NMS subsystems (Procurement, Budget, and Operations).

However, the strategy does not address other important financial and mixed systems that provide financial management information. These systems, which must operate together to meet federal requirements, include human resources, payroll, property management, and inventory systems. We also previously reported that the three NMS subsystems suffer from significant performance and security deficiencies and do not meet FFMIA requirements. Although the Assistant Administrator for Management (AA/M) agreed to complete an analysis to identify the most cost effective approach to correct these deficiencies in response to that report,         has not done so.
Because         has not completed that analysis, it does not have the information needed to assure that its plan to integrate these three NMS modules with the core         system represents the most cost effective approach.

Report on Audit of the New Management System Status, (Audit Report No. A-000-98-004-P, dated March 31, 1998).

The timing of the analysis is important because contractors who bid on the core financial system may also offer related procurement, budget, and other modules that could meet         needs. Unless requirements for these functions are well enough defined for the contractor to bid on them, however,         may not be in a position to select the vendor that offers the best overall solution. To illustrate, without first identifying its business needs and analyzing other financial management components (i.e., budget, procurement, operations, and human resources),         risks selecting a core financial system replacement that will not be the best overall solution for the Agency. That is, it may meet the business needs of the Financial Management Division, but it may not be sufficiently expandable or adaptable to integrate with or meet the business needs of other financial management functions.

Further, without analyzing other financial management functions,         will not be in a position to reliably conclude that it has focused on the business areas that will provide the highest risk adjusted return on investment. For example, human resources, payroll, and small purchases may provide a higher return than the other NMS subsystems.

Although         managers recognize the need for a comprehensive strategy, they have not yet completed such a strategy.
As early as March 27, 1998, NMS Executive Team meeting minutes noted the need to create an integrated vision so that it could make decisions regarding investment strategies, develop plans, and apply performance indicators to monitor progress toward achieving results. To date, however, the team has not created such a vision, or developed a strategy, plans, or performance measures. Until         considers all         and mixed financial systems, analyzes alternatives, and streamlines its business processes, it will not be in a position to         a modular acquisition strategy or a sound economic business case to demonstrate that it has selected the best alternative.

        current approach also does not meet OMB’s guidelines for evaluating information technology investments or preparing and submitting budget         OMB’s guidelines for information technology investments emphasize the need to take a comprehensive approach to select, control, and evaluate information technology investments. To select investments for funding, the guide calls on agencies to define a portfolio of investments by screening project proposals; analyzing risks, benefits, and costs; and prioritizing and funding projects based on risk adjusted returns on investment. Although the process calls for discipline and structure in developing an investment strategy, it also provides flexibility by recognizing that the amount of documentation and depth of analysis will vary depending on the type of project and its acquisition phase. For example, less information would be required for projects in the early planning stages than for projects that are ready for implementation.
Thus, investment analysis is an iterative process that provides more precise information to decision makers as the project matures. OMB’s budget submission requirements also call for a comprehensive approach to justify investments. The justification requires a description of the acquisition strategy, including a description of competition and modular acquisition approaches.

Evaluating Information Technology Investments: A Practical Guide (Office of Management and Budget, November 1995).

        Circular A-11, Preparation and Submission of Budget Estimates         of Management and Budget, November 1998).

Supporting Plans Do Not Contain Sufficient Information

To correct the deficiencies in its financial management system         began planning, during fiscal year 1998, to develop an effective agency-wide integrated financial management system that will meet all federal accounting and system requirements. However, these plans are not adequate to meet OMB directives and best practice guidelines. Experience shows that without adequate plans, management can have little assurance that systems will be successfully deployed within cost and schedule estimates. Because planning is a fundamental element of sound information technology acquisition practices, acquiring system components before developing comprehensive plans at the proper level of detail increases risks of encountering delays and cost increases.

As required by OMB guidance for preparing budget requests (OMB Circular A-l         submitted a remediation plan to OMB in December 1998.         plan describes its approach to implement an integrated financial management system that satisfies federal system requirements described in the FFMIA.
OMB Circular A-11 requires plans to describe current systems and their major deficiencies; planned systems and the strategy for implementing those systems; and the projects required to move from the existing to the new system configuration, including the remedies, resources, and interim milestones needed to correct deficiencies. OMB also requires agencies to include an inventory of current and planned systems as well as schematics describing the relationships among current and among planned systems. Although OMB does not require agencies to submit detailed plans, the ability to provide the required information provides an indicator of the status of agency planning activities.

However, neither the remediation plan nor supporting plans contain the information called for in OMB’s guidance. Instead, the remediation plan focuses almost exclusively on accounting systems controlled by         Financial Management Division and does not describe all significant current or planned financial management systems. Although it briefly mentions the other three NMS modules (procurement, operations, and budget) it does not address other mixed systems such as personnel, payroll, property management, and inventory systems. It also does not fully describe the problems associated with the current systems--especially problems that have prevented the three NMS modules from operating effectively and computer security and internal control deficiencies. Nor does the plan include a full inventory of current or planned financial management systems or schematics describing system relationships.

Furthermore, the plan does not adequately describe the projects needed to meet federal requirements or the remedies, resources, and intermediate target dates that are called for by the FFMIA and         guidance.
         managers are not in a position to identify the
projects that will remedy its noncompliance with FFMIA requirements because they have not
completed an architecture, analyzed alternatives, or developed an acquisition strategy.

Regarding resource requirements,             plan estimates that it will cost $13.5 million to
fully implement the remediation plan, but that estimate significantly understates the costs
required because it only covers the cost to replace the core financial system. An independent
cost estimate prepared in early 1998 by a          contractor estimated that it would cost over
$50 million to bring           systems into compliance with FFMIA requirements.

Regarding milestones, the plan describes a mix of activities with a broad range of dates.
Activities and milestones include: improving accountability                strengthening the
Financial Management organization                improving financial management systems
             conducting internal control reviews               improving asset management
             and generating audited financial reports (1998-2002). Some of the financial
system milestones are shown in the chart below:

Description of Financial Systems Activity                                             Schedule
Ensure all Agency financial systems conform to A-127 and JFMIP “core” requirements    1998-2000
Develop an operational data warehouse/corporate database                              1998-2000
Develop/implement replacement accounting system                                       1998-2000
Develop upgraded management information systems for budgeting and program management  1998-1999

Although one manager maintains an informal plan for the “develop/implement replacement
accounting system” project, that plan has not been reviewed and approved by management.
Validated and approved plans would provide senior managers with a better basis to assess
whether targets are achievable, measure progress, and hold managers and developers
accountable for achieving objectives. We believe the lack of supporting planning details
creates a substantial risk of delays, cost increases, and system performance deficiencies.

                   Not Met OMB Requirements
       to Justify New System Investments

A series of rules, referred to as Raines’ Rules, reflect key OMB and legislative concerns and
provide a framework for evaluating information technology investments. They also provide a
framework for justifying funding for investments in major information systems. These rules
are incorporated in OMB’s Circular A-11 guidance to agencies for preparing budget requests.
The eight Raines’ Rules require that, to be considered for funding in the President’s budget,
information systems investments should:

       Rule No. 1: Support core/priority mission functions.

       Rule No. 2: Be undertaken because no alternative private sector or government
                   source can efficiently support the function.

       Rule No. 3: Support work processes that have been simplified or otherwise
                   redesigned to reduce costs, improve effectiveness, and make maximum
                   use of commercial off-the-shelf technology.

       Rule No. 4: Demonstrate a projected return on investment that is clearly equal to or
                   better than alternative uses of available resources.

       Rule No. 5: Be consistent with the information architecture which integrates work
                   processes and information flows with technology to achieve strategic
                             specify standards to enable information exchange and
                   resource sharing.

       Rule No. 6: Reduce risk by: avoiding or isolating custom-designed components...;
                   using fully tested pilots, simulations, and prototypes...; and establishing
                   clear measures and accountability for project progress.

       Rule No. 7: Be implemented in phased, successive chunks.

       Rule No. 8: Employ an acquisition strategy that appropriately allocates risk between
                   government and the contractor.

Using Raines’ Rules as a guide, we found that            had not met Rules No. 3, 4, 5, 6 and 7
and concluded that           has not met OMB’s requirements to justify new system
investments. Rule No. 3 was not met because business areas other than core accounting have
not been subject to process redesign. Rule No. 4 was not met because               has concluded
that the core financial system and other NMS modules have the highest rate of return on
investment, even though other areas have not been fully analyzed.
For example, human
resources, payroll, and small purchases modules may have a higher return on investment than
a large procurement module. Rule No. 5 has not been met because                had not
developed a system architecture to guide NMS replacement efforts. Rule No. 6 has not been
met because           has not identified clear measures and accountability for project progress.
Rule No. 7 has not been met because             is proceeding to acquire the first component in
a modular acquisition without having defined the other components.

       Remediation Plan Conclusion
       and Recommendations

The planning weaknesses identified in this report provide an early indicator that           is at
risk of repeating past mistakes that led to deployment of a system that did not operate
effectively. Parallels with the earlier effort include the lack of an agency-wide blueprint
before beginning development, the fact that the core financial system replacement is being
conducted in isolation from other financial management systems, and the lack of an integrated
strategy supported by an investment analysis and detailed plans. To address these planning
issues, we recommend the following:

       Recommendation No. 1:       We recommend that, before approving proposals to
       acquire any financial system component, the Chief Information Officer:

       1.1     complete an agency-wide information technology target architecture that
               contains all elements identified in       guidance at a sufficient level of
               detail to provide a high degree of assurance that         financial
               management system enhancement projects are consistent with the target
               architecture; integrate redesigned work processes and technology to
               achieve the Agency’s strategic goals; and conform to standards for
               information exchange, security, and resource sharing;

       1.2     use the target architecture to define       financial management system
               portfolio in accordance with OMB’s guidelines for selecting information
               technology investments;

       1.3     complete a modular acquisition strategy that (a) reduces integration risk
               and leads to an integrated financial management system as defined by
               OMB Circular A-127.

       1.4     revise and update the remediation plan and develop sufficiently detailed
               supporting plans.

       Management Comments and Our Evaluation

Responding to the remediation plan section, management provided a detailed discussion of the
issues and stated that it (1) was in the process of developing an information technology
architecture, (2) planned to use a modular acquisition strategy, and (3) planned to update and
strengthen its remediation plan.          appeared to generally agree with the draft report’s
findings and recommendations, but the detailed response contained several qualifications and
suggested modifications to the recommendations.
Because we incorporated some,
but not all, of the suggested changes to the recommendations, it is unclear whether             has
reached a management decision to implement the recommendations.

Regarding the need for a comprehensive information technology target architecture, the
comments stated that           was discussing, with its PRIME contractor, a             to
validate the baseline architecture, address gaps in the business model, and establish an
approach to complete a target architecture. The comments stated that the architecture would
be completed in June 1999, and would contain a sufficient level of detail to (1) ensure that
          financial management system investments integrate work processes and technology
to achieve the Agency’s strategic goals and objectives, and (2) conform to standards for
information exchange and resource sharing among financial and mixed-financial systems.
However, the comments also indicated that the level of detail required to support the
acquisition of the core accounting system was still under discussion and that a condensed
version of the architecture might contain a sufficient level of detail to proceed.

We believe          needs to develop an agency-wide architecture that includes all elements
required by OMB to guide the acquisition of a core financial system in order to successfully
deploy an integrated financial management system. We believe the architecture should
contain sufficient detail to reduce risks to a relatively low level before          acquires any
financial management system component. To illustrate, although all financial management
functions should be addressed,            might not need to fully describe all information flows
for a function that does not have a significant financial impact.
We modified our
recommendation to recognize that the                    of what constitutes a sufficient level of
detail should be based on the level of risks. Because we revised the recommendation to
include consideration of risks, it is unclear whether           has reached a management
decision to implement Recommendation No. 1.1.

Regarding the need for a comprehensive acquisition strategy,           stated that it would use
a modular acquisition strategy to identify potential capital investments. Further, it explained
that the core financial system investment has been sequenced as the first investment to
address the material weakness in the primary accounting system. Management stated its
commitment to a modular strategy that will take advantage of evolutions in technology, limit
the use of custom developed system components, and reduce integration risks by applying
architectural standards. Following the acquisition of the core financial system, additional
investment analysis and acquisition planning would be initiated for the next incremental
investment. Management stated that this approach meets the statutory preference for modular
contracting, while the approach we recommended would require substantial additional
investment analysis without knowing the opportunities presented by the selected product.

Although this approach represents a significant improvement over that described in the
remediation plan, it appears that         still plans to acquire the first module before
identifying and analyzing the other modules that will make up the financial management
system. We continue to believe that             needs to identify and analyze the other modules
before proceeding with the first component.
GSA’s modular acquisition guide points out that
a key element of a modular strategy is understanding, before deciding to buy individual
components, what modules will make up the system and how the various components can be
integrated into a single system. Identifying the modules, in turn, requires a high level logical
system design. In addition, to assure that agencies achieve the highest risk-adjusted rate of
return on their investments,           guidelines for managing capital investments call for each
agency to create a portfolio of investments, based on economic analyses. On the other hand,
we recognize that the amount of information available early in the acquisition process may be
limited, and that subsequent analyses may be needed to refine the strategy and better sequence
components. Because our draft report may not have clearly described this distinction, we
revised the report and the recommendations to better describe the need for an iterative
investment analysis process. Because the report and recommendations have changed, it is
unclear whether          has reached a management decision to implement Recommendation
Nos. 1.2 and 1.3.

Regarding the need to revise the remediation plan, the comments stated that the plan was
preliminary and would be revised following completion of the investment analysis and
detailed acquisition planning. We do not believe it is necessary or appropriate to wait until
detailed acquisition plans are complete to revise the remediation plan. The remediation plan
is a legislative requirement that calls for identification of the resources, remedies, and
intermediate target dates needed to bring the system into substantial compliance with federal
requirements.
Further, OMB guidance for preparing budget requests identifies the minimum
requirements for a remediation plan including a description of current systems and their
deficiencies, planned systems and the strategy for implementing them, and the projects
required to move from the existing to the new system configuration.               should be able
to meet these minimum requirements when it completes a modular acquisition strategy. We
revised the recommendation to provide this time frame. Because the recommendation has
changed, it is unclear whether           has reached a management decision to implement
Recommendation No. 1.4.

Organizational Deficiencies
Continue to Hinder Efforts
to Implement Systems

        executives have committed to correct management deficiencies that have, in the past,
prevented successful modernization of             financial management systems. However,
continuing organizational deficiencies contribute to           failure to complete an agency-
wide information system architecture, develop an integrated modular acquisition strategy,
prepare detailed planning documents, and comply with Raines’ Rules. Organizational
deficiencies include the fact that        executives have not established a program
management office with sufficient staff, expertise, and authority to ensure that modernization
efforts are implemented successfully. In addition, a companion report concluded that
        executives had not delegated to the CFO the responsibility and authority to develop and
maintain all financial management systems as required by the CFO Act.

         executives recognize that more effective information resource management processes
are essential to implement systems that meet FFMIA requirements.
During fiscal year 1998,
         executives authorized a number of important steps to strengthen organizational control
and institute disciplined information technology investment management processes. To
illustrate, in May 1998,           hired a contractor to assist with information technology
planning, technical direction, oversight, policy formulation, system acquisition, and
management practices. The contractor is expected to help                improve its application of
disciplined processes as it moves to modernize its financial management systems. In addition,
the Financial Management Division has made significant progress implementing disciplined
practices to modernize the core accounting functions. These               hiring a contractor to
assist in its efforts to streamline business processes and to implement an effective core
financial system.

               Has Fragmented the
       Chief Financial Officer’s Responsibilities

As reported in our audit of           consolidated financial statements, internal controls, and
compliance for fiscal year 1998, we found that            has not assigned its CFO the
responsibility and authority to ensure that all financial management systems satisfy agency-
wide information requirements. That report pointed out that the Clinger-Cohen Act of 1996
makes the head of each agency, in consultation with the Chief Financial Officer and Chief
Information Officer, accountable for establishing policies and procedures that ensure system
development activities successfully meet agency information needs. Although these officials
have taken positive steps to correct the financial management system deficiencies, fragmented
line management responsibilities continue to hinder             efforts to correct the
deficiencies.

          CFO has not been delegated the responsibility or authority to oversee financial
management activities other than basic accounting functions.
In particular, the CFO has not
been delegated the specific responsibility for the information systems that support the
performance measurement, budget, human resource, or procurement functions. Thus, the CFO
lacks the authority to implement an effective integrated financial management system.

For this reason and due            financial management and performance measurement
deficiencies identified, that report recommended that the CFO work with the CIO and other
senior executives to:

       Determine the specific responsibility, authority, and resources needed to meet the
       requirements of the Chief Financial Officers Act of 1990, which assigns the Chief
       Financial Officer responsibility to (1) develop and maintain an integrated accounting
       and financial management system, (2) approve and manage financial management
       system design and enhancement projects; and (3) develop a financial management
       system that provides for systematic measurement of performance.

       Request that the Administrator specifically delegate adequate responsibility, authority,
       and resources to the Chief Financial Officer to satisfy those Chief Financial Officers
       Act responsibilities.

       Implement policies and procedures to carry out the responsibilities delegated by the
       Administrator.

             Reports on          Financial Statements, Internal Controls, and Compliance for Fiscal Years 1997 and
1998, (Audit Report No. 0-000-99-001-F, dated March 1, 1999).

               Lacks a Program
       Management

        continues to manage modernization efforts through committees rather than
the recommended program office management structure.
Although a strong program office
led by a program manager with the skills, authority, and responsibility needed to plan and
implement major systems is recognized to be a key success factor,           does not use a
program management approach to manage its financial management modernization efforts.
Instead,         executives manage the modernization effort by building consensus among
responsible officials about the best course of action. As a result,         program
consists of one individual who has no authority to make modernization decisions.

Based on industry experience and the program performance mandates of the Government
Performance and Results Act, the Federal Acquisition Streamlining Act, and the
Clinger/Cohen Act, “best practices” call for the creation of a strong program office to
implement the acquisition of information technology systems. Best practices also call for this
office to be headed by a program manager who is responsible for ensuring that an
organization’s long-term and             needs are met by its planned acquisitions. The
program manager should be responsible for establishing program performance goals, ensuring
that acquisitions are adequately planned and implemented, preparing program-related portions
of solicitation documents, and monitoring contractor performance. The General Services
Administration has also stated that an effective program office is essential to a successful
modernization project.

Audit reports and other studies have repeatedly recommended that         strengthen its
management processes, but           has not done so. The deficiencies were first pointed out
in a study conducted by the Software Engineering Institute in June 1995 which cited
undisciplined management processes, undefined organizational roles and responsibilities, and a
poorly defined decision-making and commitment process as risks to the project’s success.
In
a March 1997 report we recommended that               appoint a senior manager to manage the
NMS project and direct the project manager to (1) analyze NMS deficiencies, (2) implement
disciplined practices, and (3) identify alternative implementation strategies. A February 1998
report on the NMS development process, performed under a contract with the General
Services Administration’s Federal Systems Integration and Management Center, concluded
that         does not have an NMS development organization with clearly defined roles,
responsibilities, and authorities. The report further concluded that this diffusion of
responsibility had fragmented efforts and eroded accountability for results. Among other
problems, the study pointed out that (1) a culture of informal communications and
management by committees and consensus inhibit timely and effective                        (2)
the fragmented and complex NMS organization discourages accountability and inhibits
productivity; and (3) the lack of a well defined project management process inhibits
consistent delivery of products on time and within budget.

Although          appointed a program manager for NMS in response to our March 1997
report, the manager was not provided staff or decision-making authority and program
management responsibility and authority still are not clearly defined. The NMS program
manager has no staff and no authority to direct modernization activities. Instead, this official
acts as a coordinator who attempts to build consensus among various individuals and
organizations participating in the modernization effort.         also has an NMS Executive
Team Board, whose members include the CIO (Chairman), CFO, and heads of other offices
including Budget and Procurement.
The Board is responsible for providing management
oversight of NMS program activities, providing guidance to the NMS program manager and
other involved offices and work teams, and managing NMS risks. The Board attempts to
operate by consensus, but the charter calls for decisions to be made by voting. In addition,
two integrated product teams have been formed to direct implementation of the core
accounting system and the managerial cost accounting system. The following organization
chart shows           organizational structure for managing its modernization project.

[Organization chart: IT Investment Management]

          Audit of the Worldwide deployment of the New Management System    (Audit Report No.
97-004-P).

The lack of a program management           function with the authority to make decisions and
the resources to implement the decisions significantly increases the risk that
modernization efforts will encounter delays and cost increases and that the system will not
operate effectively when deployed. In fact, the planning deficiencies cited in this report
might not have occurred if a strong program manager had the authority to enforce disciplined
practices.

       Conclusion and Recommendation
       on Organizational Deficiencies

        has committed to correct the management deficiencies that have, in the past,
prevented successful implementation of a financial management system that meets federal
accounting and system requirements.
            has also taken several important steps in that
direction by establishing an investment review board, hiring a systems integration contractor,
and following disciplined practices to replace the core financial system.

However, because organizational deficiencies appear to be at the root of the planning
weaknesses,           executives need to ensure that the CFO and CIO work together to
enforce disciplined system development practices throughout the agency, including the use of
a strong program management office to guide modernization efforts. To address this
organizational issue, we recommend the following:

       Recommendation No. 2:         We recommend that the Chief Information Officer
       work with      Chief Financial Officer and the Assistant Administrator for
       Management to establish a strong program management office or function, with
       sufficient responsibility, authority, and resources to apply disciplined practices to
       implement financial management system improvements.

Management Comments and Our Evaluation

Responding to the draft report’s organizational deficiencies section,        management
stated that it had established a financial management integrated product team to oversee the
business planning and investment analysis phases of the project and that this approach met
federal guidance and best practice requirements. Management also stated that           would
organize and staff a program management team once the investment review board approved
the proposed core financial system investment.
The team, under the direction of a designated
program manager, would then develop detailed plans to acquire the core financial system.
         also referred to the team as a program management function rather than an office,
because an “office” is a specific organizational unit at

We do not believe this response adequately addresses the findings and recommendation to
establish a strong program management office--or function. The response indicates that
        plans to continue to postpone implementing a strong program management office
function with a program manager who is responsible and accountable for the success of the
project. As pointed out in this report,        has a long history of reluctance to implement
this recommended management approach. We believe the continuing lack of an effective
program office function accounts, in part, for the fact that, two years later,        has not
completed an architecture, modular acquisition strategy, or sufficiently detailed plans.

We also disagree with          management’s assertion that its current approach meets federal
guidance and best practice requirements. According to responsible officials, USAID believes
that it implemented a Department of Defense best practice by instituting an integrated product
team. However, integrated product teams at the Defense Department are part of a strong
program management office. The teams report to the program manager and carry out
responsibilities assigned by the manager. At            the team does not report to
manager and has not been assigned responsibility to implement an integrated financial
management system. The team is only responsible for implementing the core financial
system, which demonstrates the continuing fragmented nature of               organizational
structure.
A key reason that          has not developed an integrated financial system
modernization program is that it has not established a single integrated program office
function. This report points out that         is repeating past mistakes by fragmenting
responsibility and allowing one system component to proceed disconnected from the others.
The lack of a program management            responsible for implementing an integrated
system, in our view, is a major contributor to these continuing difficulties.
        management has not reached a decision to implement Recommendation No. 2.

APPENDIX I

Scope

Our review of the extent to which            financial management systems met the
requirements of the Federal Financial Management Improvement Act of 1996 included
determining, as of September 1998, whether              financial management systems
complied substantially with federal requirements for financial management systems, applicable
federal accounting standards, and the requirement to post transactions to the United States
Standard General Ledger at the transaction level, as required by Section 803(a) of the Federal
Financial Management Improvement Act of 1996. To reach conclusions about the extent to
which financial management systems substantially comply with federal accounting and system
requirements, we reviewed the results of audit reports we issued in fiscal years 1997 and 1998
that identified financial management system deficiencies as well as management and
contractor assessments.
We also reviewed evidence gathered during the audit of
financial statements and confirmed the continued existence of the deficiencies with officials
from the Financial Management and Information Resources Management Divisions.

We also reviewed the adequacy of            plans to correct the systems deficiencies,
considering planning to be a key indicator of progress. The scope of our work related to
planning included those financial management systems which were operational in
during fiscal year 1998 and planned improvements described in            “Chief Financial
Officer Strategic Plan Fiscal Years 1998-2002.” To reach a conclusion we reviewed the
remediation plan as well as supporting plans and other documents describing
analyses and we discussed relevant issues with responsible managers.

This audit was conducted between December 1, 1998, and January 15, 1999 in accordance
with generally accepted government auditing standards. Field work was conducted primarily
in          Bureau for Management, Office of Financial Management, Office of Information
Resources Management, and Office of Human Resources in Washington, D.C.

Methodology

To evaluate the extent to which financial management systems substantially comply with
federal accounting and system requirements, we reviewed audit reports covering financial
management issues during fiscal years 1997 and 1998, reviewed            documents
describing financial management system capabilities and deficiencies, and interviewed
officials to update FFMIA compliance findings from the “Audit of the Extent to Which
           Financial Management System Meets Requirements Identified in the Federal
Financial Management Improvement Act of 1996,” Audit Report No. A-000-98-003-P dated
March 2, 1998.
documents included the assertions that         managers have\ndecided to report in the Agency\xe2\x80\x99s fiscal year 1998 Accountability Report, which will be\nissued on or before April 30, 1999.\n\nWe also reviewed a comprehensive external analysis dated February 2, 1998 of NMS\nconducted, at           request, by the Federal Systems Integration and Management Center,\na component of the General Services Administration. To assess progress meeting accounting\nand system requirements, we compared the extent of compliance at the end of fiscal year\n1998 to the extent of compliance at the end of fiscal year 1997.\n\nTo evaluate the adequacy of           efforts to correct financial management deficiencies,\nwe reviewed            December 1998 financial management status report, which described\n         remediation plan. We also reviewed other planning-related documents,\n\xe2\x80\x9cChief Financial Officer Strategic Plan Fiscal Years              minutes from NMS\nExecutive Team and Demand Management Integrated Product Team meetings, and Financial\nManagement System and Managerial Cost Accounting project documents. We also\ninterviewed responsible         and contractor officials.\n\x0c     APPENDIX II\n\n     Page 1 of 6\n\n\n\n\n\n--\n\x0c     APPENDIX II\n\n\n\n\n\n--\n\x0c                                                                  APPENDIX II\n\n\n\n\n      acquisition       phases of the\n\n\n\n\n                 No.   Complete a modular                  tbat\nbetween financial and mixed systems, takes       of         in\n\n\n\n mmmadarion No.      
Develop        investment analysis and detailed        for

        plans        to
        and evaluation.

Require the CFO to update        preliminary remediation plan
the        of the
of

team to lead the        analysis        did

lead of a        program        will support        of        acquisition team
        a        acquisition

contractor.

acquisition planning in which a        is essential. We do agree that
establishing a team early        in the acquisition life-cycle to        develop a modular

Based on        discussion above, we        revised        3:

        we        the Chief Information Officer work
with the Chief        Officer and the        Administrator for Management to establish

APPENDIX III
Page 1 of 17

Extent to Which USAID's Financial Management Systems
Substantially Comply With        Requirements

The purposes of this appendix are to (1) document the extent to which financial management
system deficiencies have been corrected, (2) describe the nature and importance of the
requirements for an effective federal financial management system as outlined in Section 7 of
Office of Management and Budget Circular
No. A-127, and (3) summarize the impact on
agency operations from not meeting the requirements. This Appendix updates information
contained in a previously issued report that provided a baseline against which progress in
correcting the system deficiencies could be

Summary of Results

USAID managers have committed to follow disciplined practices to modernize
systems and have taken several steps to do so. However, because significant improvements
are not achievable until existing systems are replaced or modernized-an effort that is not
scheduled to be completed until 2001-USAID has made only limited progress improving its
systems during the past year. As a result, during fiscal year 1998, USAID's financial
management systems do not yet comply substantially with (1) federal financial management
system requirements, (2) applicable federal accounting standards, and (3) the requirement to
post transactions to the United States Standard General Ledger at the transaction level, as
required by Section 803(a) of the Federal Financial Management Improvement Act of 1996
(FFMIA). Due to these system deficiencies, USAID managers do not always receive the
complete, reliable, timely, and consistent information they need to reliably report financial or
performance results or efficiently manage agency operations.
USAID management has
decided to report this condition in its fiscal year 1998 Accountability Report and is taking
action to implement a financial management system that complies with these requirements.

Requirements for Financial Management

Financial management system requirements are designed to enable agencies to provide
complete, reliable, timely, and consistent information to decision makers and the public.
Agencies, including Treasury and OMB, need this information to (1) carry out their fiduciary
responsibilities; (2) deter fraud, waste, and abuse; (3) facilitate efficient and effective delivery
of programs; and (4) hold agency managers accountable for the way government programs are
managed. The Congress needs this information to oversee government operations, and the
public, to exercise their citizenship responsibilities. Thus, a key objective of financial
management systems is to ensure that reliable financial and program performance data are
obtained, maintained, and reported. Federal policy is to establish government-wide financial
management systems and compatible agency systems to accomplish these objectives.

Audit of the Extent to Which USAID's Financial Management System Meets Requirements Identified in the
Federal Financial Management Improvement Act of 1996, Audit Report No. A-000-98-003-P dated March 2, 1998.

The three system requirements identified in the FFMIA-federal requirements for financial
management systems, applicable accounting standards, and the SGL at the transaction
level-are detailed in OMB Circular No. A-127, Financial Management Systems. Section 7
of this Circular identifies 12 categories of requirements that a financial management system
should meet to operate effectively.
Other policy documents further detail these requirements,
including Office of Management and Budget’s Circulars No. A-130, Management of Federal
Information Resources, No. A-134, Financial Accounting Principles and Standards, No. A-11,
Preparation and Submission of Budget Estimates, and No. A-34, Instructions on Budget
Execution; and the Treasury Department’s Treasury Financial Manual. In particular, the Joint
Financial Management Improvement Program (JFMIP) has published several documents
describing detailed functional requirements that systems should possess to perform effectively.

For purposes of this report and in order to better describe the interrelationships among the 12
requirements contained in OMB Circular A-127, we grouped the requirements into four
categories as shown in the following table.

Category      Requirements
Accounting    - Classification structure
              - Integrated system
              - Application of U.S. Government Standard General Ledger at the transaction level
              - Federal Accounting Standards
              - Functional requirements (i.e., JFMIP)
Reporting     - Financial reporting (including performance measures)
              - Budget reporting
Controls      - Internal controls
              - Computer Security Act requirements
Operations    - Documentation
              - Training and user support
              - Maintenance

USAID's Financial Management Systems Do Not
Yet Substantially Comply With FFMIA Requirements

To        the deficiencies in its financial management systems, USAID began planning in
fiscal year 1998 to develop an integrated financial management system which would
substantially comply with all federal accounting and system requirements. In March 1998
USAID issued a General Notice stating the Agency’s commitment to implement an effective
integrated financial management system.
Current USAID estimates call for the new system to
be fully operational in 2001.

However, during fiscal year 1998, our audits as well as USAID management assessments
confirmed the continuing existence of financial management system deficiencies that we
reported during fiscal year        In large part because the recently deployed New
Management System (NMS) has not operated effectively, USAID has had to rely on a
combination of outmoded legacy systems, informal and unofficial records maintained by
individual managers or organizational units, and NMS which suffers from technical and
operational problems. As a result, during fiscal year 1998, USAID's financial management
systems did not substantially comply with 11 of the 12 characteristics listed in Section 7 of
the Office of Management and Budget’s Circular No. A-127. The following table shows that
USAID did comply with the requirement to provide adequate training to system users, which
was an improvement over last year’s results. Our analysis shows that USAID scheduled
regular training for NMS users, most of whom have been trained.

Audit of the Worldwide Deployment of the New Management System        Audit Report No. A-000-97-004-P,
March        Audit of USAID's Efforts to Resolve the Year 2000 Problem, Audit Report No. A-000-97-005-P,
July        Audit of Compliance with Federal Computer Security Requirements, Audit Report No.        97-008-P,
September        Audit of the Internal Controls for the Operational New Management System, Audit Report
No. A-000-97-009-P, September        and Audit of the Status of USAID's New Management System        Audit
Report No. A-000-97-010-P, September 30, 1997.

Substantial Compliance With Federal System Requirements
1998

Requirement                 Complies  Does Not Comply  Indicators of the Status of Compliance

Information                                  X         USAID relies on legacy systems, informal records, and NMS.
Classification Structure                               Because they lack standard data definitions or formats,
                                                       USAID lacks an agency-wide classification structure.
Integrated System                            X         Because USAID relies on multiple incompatible systems that
                                                       cannot exchange data, it does not have an integrated system.
United States Standard                       X         Several major categories of transactions are not supported by
General Ledger at the                                  the U.S. Standard General Ledger at the transaction level.
Transaction Level
Federal Accounting                           X         USAID does not have a managerial cost accounting system.
Standards
Financial Reporting                          X         USAID has decided to report financial reporting as a material
                                                       weakness in its FY 1998 Accountability Report.
Budget Reporting                             X         The Budget system does not link budget data compiled by
                                                       strategic objective with data compiled by object code.
Functional                                   X         In two fiscal year audit reports, we identified important JFMIP
Requirements [JFMIP]                                   requirements that had not been met.
Computer Security Act                        X         USAID has decided to report computer security as a material
                                                       weakness in its FY 1998 Accountability Report.
Documentation                                X         USAID has decided to report the lack of financial management
                                                       policies as a material weakness in its FY 1998 Accountability
                                                       Report.
Internal Controls                            X         We reported in September 1997 that the NMS did not have a
                                                       system of internal controls that met federal        standards.
                                                       These deficiencies have not yet been corrected.
Training and User              X                       USAID established a regular NMS training program in 1998.
Support                                                Most NMS users have received adequate training.
Maintenance                                  X         NMS is difficult to maintain because numerous design and
                                                       software deficiencies exist.

The following sections summarize areas of noncompliance reported by OIG audits and
USAID management assessments.

Accounting

In fiscal year 1998, USAID's net outlays totaled about $7.8 billion. In order for the
President, the Congress, and the public to have confidence that USAID is properly managing
operations and reliably reporting results, the financial management system needs to
incorporate federal accounting requirements. These requirements include an agency-wide
classification structure, an integrated system, implementation of the SGL at the transaction
level, applicable accounting standards, and JFMIP functional requirements.

    Classification Structure

Federal financial management systems should collect, store, and retrieve financial data based
on a standard agency-wide financial information classification structure. A standard structure
requires that common data definitions and formats be used throughout the agency to
accumulate financial and financially related information. The structure needs to support
standard reporting requirements, allow consistent tracking of program expenditures, and cover
financial and financially related information. A common classification structure minimizes
data redundancy, ensures that consistent information is collected for similar transactions,
encourages consistent formats for data entry, and ensures that consistent information is readily
available and provided to managers at all levels.
The classification structure needs to cover
information needs for budget formulation, budget execution, programmatic, financial
management, performance measurement, and financial statement and other reporting
requirements.

USAID's financial management system, however, does not contain a consistent or complete
classification structure. USAID currently relies on a combination of legacy systems, informal
“cuff” records, and NMS. Because these systems do not contain standard data definitions or
formats, USAID lacks a consistent agency-wide classification structure. In addition, the NMS
does not include a complete classification structure. Although the new system was intended
to maintain a common classification structure, USAID did not accomplish this goal. To be
complete, a classification structure requires accounting events to be associated in several
different ways in order to accumulate financial information for various purposes. For
example, financial information needs to be reported by organizational unit, funding source,
and program or project. NMS, however, does not incorporate a project classification
structure, which limits the systems’ ability to accumulate financial information related to
individual initiatives.
Further, USAID did not provide adequate guidance to users to define
how financial activities should be classified.

Unstructured classification of financial information contributes to increased data duplication,
inconsistent information, the inability to support the agency’s budget formulation and
execution functions, inaccurate performance measurement information, and difficulties
preparing reliable financial statements.

    Integrated Systems

Federal policy calls for each agency to implement an integrated financial management system.
An integrated system does not mean a single all-encompassing computer system that performs
all financial functions. Instead, integrated means a unified set of systems that are planned,
managed, and operated in an integrated manner, and linked electronically to carry out the
agency’s mission and support        management needs. To be considered integrated, the
system should use (1) a common classification structure (discussed above), (2) common
transaction processing, (3) consistent internal controls, and (4) efficient transaction entry. An
integrated system is important because it provides effective and efficient interrelationships
between the software, hardware, personnel, procedures, controls, and data. For example, in an
integrated system, data supporting an accounting event would normally be entered into the
system once and then transferred electronically to update all accounts as required. This
feature reduces data entry costs and the likelihood of errors from duplicate data entry.

USAID's financial management system, however, is not integrated. USAID currently relies
on numerous incompatible formal and informal financial systems that are unable to share
data.
Among other problems, the lack of an integrated system compromises controls over the
funds availability function, increasing the risk that USAID may over-commit, over-obligate,
or over-expend funds, resulting in Anti-Deficiency Act Violations. Also, lack of integration
could result in reporting discrepancies between the amount of funds available, committed,
obligated, or expended.

    U.S. Government Standard General Ledger

The SGL establishes a standard set of accounts for financial reporting throughout the federal
government. Agency financial management systems should record financial events following
the requirements of the SGL at the transaction level. In order to ensure that government-wide
financial information is consistent and reliable, agencies need to process transactions
following the definitions and defined uses of the accounts described in SGL. Compliance
with this standard requires that (1) data in financial reports be consistent with the SGL, (2)
individual transactions be recorded consistent with SGL rules, and (3) supporting transaction
details for SGL accounts be readily available.
Following the SGL enhances financial control
and supports consistent internal and external reporting for the agency and the federal
government.

USAID's financial management system does not implement the SGL at the transaction level.
The lack of an integrated system causes heavy reliance on manual compilations of summary
data from formal and informal systems to generate financial statements, rather than relying on
systems to account for events in SGL formats.

For example, USAID does not record Accounts Receivables in accordance with the SGL.
Instead, USAID relies on data calls to obtain the total amounts of outstanding Accounts
Receivable. These data calls were posted to the General Ledger at the summary level as
opposed to at the transaction level. By using data calls to determine outstanding Accounts
Receivable, USAID is at risk that the information obtained is not complete. For instance,
USAID's summarization of the data calls improperly omitted the Office of Procurement’s
outstanding Accounts Receivables.

    Federal Accounting Standards

Accounting standards provide rules for reporting financial information in financial statements.
Federal Accounting Standards ensure that financial reports contain understandable, relevant,
and reliable information about the financial position, activities, and results of operations for
each agency and the U.S. Government as a whole. Generally, the federal government
operates on an accrual basis of accounting. The federal government also has some unique
accounting requirements.
To standardize financial statement accounting practices, the Federal
Accounting Standard Advisory Board (FASAB) develops and recommends adoption of federal
accounting standards, which are issued by the Director of OMB. Agencies need to
incorporate these standards into their financial management systems to permit reporting in
accordance with applicable accounting standards and other reporting requirements. When no
accounting standard has been issued, agency systems can maintain and report data based on
applicable accounting standards used by the agency for preparing its financial statements.

Currently, the FASAB has issued two accounting concepts covering (1) the objectives of
federal financial reporting, and (2) entity and display. The concepts are:

- financial reporting focuses on the uses, user needs, and objectives of financial
  reporting by the federal government, and

- entity and display describes the basis for defining government organizations
  that should prepare financial statements.

Data call is a term used to        the process of requesting various offices to compile and report
outstanding balances as of year end.

In addition, eight accounting standards were effective for fiscal year 1998, covering
accounting requirements for:

- selected assets and liabilities
- direct loans and loan guarantees
- inventory and related property
- liabilities of the federal government
- managerial cost accounting
- property, plant, and equipment
- revenue and other financing sources
- supplementary stewardship reporting

USAID has reported that neither
NMS, nor the legacy systems, comply substantially with
applicable federal accounting standards. Noncompliance with Federal Accounting Standards
limits USAID's ability to provide financial reports with understandable, relevant, and reliable
information about the financial position, activities, and results of operations.

For example, the lack of a managerial cost accounting system limits USAID's ability to
measure the cost of its operations and results. This standard requires federal agencies to be
able to provide reliable and timely information on the full cost of federal programs, their
activities, and outputs (by responsible segments). The cost assignments should be performed
using the following methods listed in the order of preference: (a) directly tracing costs
wherever feasible and economically practicable, (b) assigning costs on a cause-and-effect
basis, or (c) allocating costs on a reasonable and consistent basis. Cost information developed
for different purposes should be drawn from a common data source, and output reports should
be reconcilable to each other. Because USAID does not have a cost accounting system that
meets these requirements, it is not able to segregate its costs. As a result, USAID has not
implemented Statement of Federal Financial Accounting Standards No.
4 and did not comply
with the following five fundamental elements of managerial cost accounting:

- Requirement for cost accounting - Each reporting entity should accumulate and report
  the costs of its activities on a regular basis for management information purposes;
- Responsibility segments - Management of each reporting entity should define and
  establish responsibility segments;
- Full cost - Reporting entities should report the full costs of outputs in general purpose
  financial reports;
- Inter-entity costs - Each entity’s full cost should incorporate the full cost of goods
  and services that it receives from other entities; and
- Costing methodology - Cost of resources consumed by responsibility segments should
  be accumulated by type of resource.

In addition, USAID has not implemented an effective accrual methodology that complies with
the standard for assets and liabilities. USAID's accrual methodology does not properly
recognize its current liability and establish accounts payable for unpaid goods. Further,
USAID does not have a methodology to reduce its advances and recognize expenses when
goods or services were received, contract terms were met, progress was made under contract
or when prepaid expenses expired. Instead, USAID establishes estimates for Accounts
Payable and related expenses based solely on unliquidated obligations balances.
No
additional information is requested or obtained to determine whether the goods or services
were actually received.

    Functional Requirements

Functional requirements for financial management systems are defined in a series of
publications issued by the Joint Financial Management Improvement Program (JFMIP).
These requirements describe in detail the functions each system must perform to meet
financial management system requirements. The Framework for Federal Financial
Management Systems, published in 1995, describes the requirements for developing an
integrated financial management system. Core Financial System Requirements, originally
published in 1988 and subsequently revised, describe detailed requirements for core
accounting        These functional requirements help ensure that financial management
systems actually contain the features necessary to meet federal accounting and reporting
requirements. OMB Circular No. A-127 calls for core accounting systems to be tested to
ensure that they meet the JFMIP core requirements.

Other JFMIP requirements documents include:

- Personnel/Payroll System Requirements, May 1990
- Travel System Requirements, January 1991
- Seized/Forfeited Asset System Requirements, March 1993
- Direct Loan System Requirements, December 1993
- Guaranteed Loan System Requirements, December 1993
- Inventory System Requirements, June 1995
- Managerial Cost Accounting, June 1998

These include (1) core financial system management, (2) general ledger management, (3) funds management,
(4) payment management, (5) receipt management, (6) cost management, and (7) reporting.

USAID has decided to report in its
fiscal year 1998 Accountability Report that NMS does not
substantially comply with federal financial management system requirements. In addition, a
USAID-contracted study performed by IBM and titled “Analysis of Alternatives with Regard
to the USAID New Management System” dated February 2, 1998, stated that USAID's core
financial system does not meet JFMIP requirements to support the Prompt Payment Act, does
not support USAID's external reporting needs, and does not ensure that costs are accumulated
and reported with proper matching of periods, segments, and outputs. By not meeting these
functional requirements, USAID is operating a system that does not perform key functions
required of federal financial management systems.

Reporting

Reporting involves summarizing reliable information on financial, performance, and budget
matters and making that information readily available to users inside and outside the agency.
In enacting the FFMIA into law, the Congress found that the accountability and credibility of
the federal government must be rebuilt and public confidence in it must be restored. In short,
agencies and managers must be able to provide information that is essential to monitor
budgets, operations, financial results, and program

A key purpose of federal financial management systems is to report financial, performance,
and budget information, so that agency programs and activities can be considered and
evaluated based on their full costs and merit. Agency management, the President, the
Congress, and citizens need access to complete, reliable, timely, and consistent information
generated from agency financial management systems.

Federal laws and executive branch policies require agencies to develop and maintain
integrated systems for reporting program results and related funding. Examples of these laws
and regulations include:

- Office of Management and Budget Circular No.
A-127 (Revised), Financial\n         Management Systems, states               agency shall establish and maintain a single,\n         integrated financial management system ... [and] the agency financial management\n         system shall be able to provide financial information in a timely and useful fashion.”\n\n•        The Chief Financial Officers Act of 1990 (section          [D] [iv]) states: “An\n         agency CFO shall develop and maintain an integrated agency accounting and financial\n         management system which provides for the systematic measurement of performance.”\n\n•        Office of Management and Budget Bulletin No. 93-02 states: “Whenever possible\n         financial data should be related to other measures of              on a\n         program basis. The inclusion of performance measures         facilitate using the\n         financial statement to assess both financial and program performance.”\n\n        has not yet met the above requirements.           plans, in its fiscal year 1998\nAccountability Report, to state that the system does not meet some important financial\nmanagement system requirements, such as being capable of producing all required financial\nreports and other management information at an acceptable level of timeliness and accuracy.\n\n        has not developed and maintained an integrated system for reporting program results\nand related funding and is currently unable to meet many of its reporting requirements. 
In\nour September 1998 report on “The Process            Used To Prepare Its Fiscal Year 1997\nFinancial Statements from the General Ledger,” we found            must manually prepare its\nfinancial statements because its financial management systems were not integrated and could\nnot prepare the statements electronically. Because of the reporting deficiencies:\n\n•      Managers are unable to reliably accumulate prior or projected program or project costs\n       due to the lack of a required managerial cost accounting component.\n\n•      Unreliable or incomplete financial data is being reported to managers and to external\n       parties, including OMB, Congress, and the public. To illustrate,         submitted\n       financial information to OMB and to the U.S. Treasury that is materially inconsistent\n       with its general ledger. This occurred in reporting the         cash balance to\n       Treasury and budgetary information to OMB.\n\nThe lack of an effective integrated financial management system inhibits                ability to\nrelate (1) obligations and expenditures to            overall strategic goals and objectives, and\nin support of each operating unit’s strategic objective and intermediate results; and (2)\nprogram results to budget components included in its financial statements. This in turn\nimpairs            ability to manage for results and to report results in relation to funding.\n\nControls\nManagement controls are the organization, policies, and procedures used by agencies to\nreasonably ensure that (1) programs achieve their intended results; (2) resources are used\nconsistent with agency mission; (3) programs and resources are protected from waste, fraud,\nand mismanagement; (4) laws and regulations are followed; and (5) reliable and timely\ninformation is obtained, maintained, reported, and used for decision making. 
Federal\nrequirements call for adequate internal and computer security controls, which should be\nessential elements in the design and operation of financial management systems.\n\n    Internal Controls\n\nInternal controls are a subset of management controls, used to assure that there is\nprevention or timely detection of unauthorized acquisition, use, or disposition of assets. Laws\ndealing with internal controls include the (1) Accounting and Auditing Act of 1950, which\nestablished requirements for an effective internal control system, and (2) Federal Managers’\nFinancial Integrity Act of 1982, which reinforced the need for effective internal controls.\n\nFederal financial management system requirements for internal controls call for the system to\ninclude internal controls that ensure resource use is consistent with laws, regulations, and\npolicies; resources are safeguarded against waste, loss, and misuse; and reliable data are\nobtained, maintained, and disclosed in reports. GAO has established guidance for internal\ncontrols in its publication Standards for Internal Controls in the Federal Government. 
The\nfollowing table         the areas addressed by the GAO general and specific standards for\ninternal controls in the federal government.\n\nGeneral Standards\n\n1.  Reasonable Assurance\n    Internal control systems are to provide reasonable assurance that the objectives of the\n    system will be accomplished.\n\n2.  Supportive Attitude\n    Managers and employees are to maintain and demonstrate a positive and supportive attitude\n    toward internal controls at all times.\n\n3.  Competent Personnel\n    Managers and employees are to have personal and professional integrity and are to maintain a\n    level of competence that allows them to accomplish their assigned duties, as well as\n    understand the importance of developing and implementing good internal controls.\n\n4.  Control Objectives\n    Internal control objectives are to be identified or developed for each agency activity and are to be\n    logical, applicable, and reasonably complete.\n\n5.  Control Techniques\n    Internal control techniques are to be effective and efficient in accomplishing their internal\n    control objectives.\n\nSpecific Standards\n\n1.  Documentation\n    Internal control systems and all transactions and other significant events are to be clearly\n    documented, and the documentation is to be readily available for examination.\n\n2.  Recording of Transactions and Events\n    Transactions and other significant events are to be promptly recorded and properly classified.\n\n3.  Execution of Transactions and Events\n    Transactions and other significant events are to be authorized and executed only by persons\n    acting within the scope of their authority.\n\n4.  Separation of Duties\n    Key duties and responsibilities in authorizing, processing, recording, and reviewing\n    transactions should be separated among individuals.\n\n5.  Supervision\n    Qualified and continuous supervision is to be provided to ensure that internal control\n    objectives are achieved.\n\n6.  Access to and Accountability for Resources\n    Access to resources and records is to be limited to authorized individuals, and accountability\n    for the custody and use of resources is to be assigned and maintained. Periodic comparison\n    shall be made of the resources with the recorded accountability to determine whether the two\n    agree. The frequency of the comparison shall be a function of the vulnerability of the asset.\n\n          financial management system does not include a system of internal controls that\nmeets GAO’s standards for internal control. In September             we reported that the\ndoes not include a system of internal controls that meets GAO’s Standards for Internal\nControls in the Federal Government.           other things, internal control objectives were\nnot identified and internal control techniques were not documented. 
As a result,\nmanagers cannot reasonably ensure that the control techniques they have implemented are\neffective.         has made a management decision on an OIG recommendation to\ndocument, test, and implement a system of internal controls for NMS that comply with the\nGeneral Accounting Office’s Standards for Internal Controls in the Federal Government.\nHowever, our continuing work and discussions with responsible financial management\nofficials confirm that        has not yet corrected the deficiencies.\n\nWithout adequate internal controls,          managers are unable to provide reasonable\nassurance that program goals and objectives are met; resources are adequately safeguarded;\nreliable data are obtained, maintained and reported; and activities comply with laws and\nregulations. Because of this situation,        faces significant risks and increased\nvulnerability, known and unknown, to fraud, waste, and abuse; and compromise of sensitive,\nPrivacy Act-protected information as a result of relying on        to account for and provide\nmanagement information on the use of resources and program operations.\n\n    Computer Security\n\nComputer security requirements comprise a subset of an organization’s overall internal\ncontrols. These particular controls are intended to protect the integrity of sensitive information\nwhich is stored in computer systems. However, computer security requirements are often\naddressed separately from other internal controls. 
This separation is due to the technical\ncomplexity involved in securing computers and the agency’s increasing reliance on computers\nto store and process information.\n\nAmong the significant laws and guidelines requiring agencies to maintain an effective\ncomputer security program are the Computer Security Act of 1987 and OMB Circular No.\nA-130, Appendix III, “Security of Federal Automated Information Systems.” Specifically:\n\n•    the Computer Security Act requires federal agencies to protect information by: (1)\n     identifying sensitive systems, (2) developing and implementing security plans for\n     sensitive systems, and (3) establishing a training program to increase security\n     awareness and knowledge of accepted security practices.\n\n•    Appendix III of OMB Circular A-130, which implements the requirements of the\n     Computer Security Act, directs agencies to establish a security program and maintain\n     an adequate level of security for sensitive systems and information.\n\nNo. A-000-97-009-P September 30, 1997.\n\nThe increasing complexity of technology and the proliferation of computers have resulted in a\ngreater commitment of resources to computer operations and a wide range of computer\napplications.         makes extensive use of information technology in serving the public\nand managing resources while executing its programs. 
However, the increasing reliance on\ncomputers leaves         exposed to the risk of unauthorized modification of data; destruction\nof computer resources; disruption of operations; and compromise or loss of resources,\nincluding sensitive agency\n\nIn two companion reports, we reported that           had not implemented an effective security\nprogram that met the requirements of the Computer Security Act of 1987 or OMB Circular\nNo. A-130. Specifically, we reported that             security controls, access controls, and\nchange controls were not effective. These security weaknesses expose             to\nunacceptable risks that resources will not be adequately protected from fraud or misuse and\nthat sensitive data and systems will not be adequately protected from loss or destruction.\n\nOperations\nMost computer system costs are incurred after the system becomes operational. Computer\nsystem operations include operating the system, responding to user questions and correcting\nroutine defects, enhancing system capabilities to meet new requirements, and eventually,\nretiring the system. The FFMIA defines financial management systems to include not only\nthe hardware and software needed to support financial management, but also the automated\nand manual processes, procedures, controls, data, and support personnel dedicated to the\noperation and maintenance of system functions. Federal requirements call for adequate\ndocumentation, training, and maintenance practices, which are important to ensure that the\nsystem continues to operate efficiently and effectively.\n\n    Documentation\n\nFederal financial management system requirements call for agencies to adequately document\nthe system/software structure and capabilities, processing instructions for operating personnel,\nand operating procedures and manuals for users. To be fully useful, documentation should be\nkept up-to-date and be readily available for examination and use. 
The documentation also\nneeds to be sufficiently detailed to permit responsible personnel to understand the system and\n   operations. Up-to-date documentation is needed so that users will be able to understand\nhow to operate the system, technical personnel will be able to keep the system functioning\neffectively and efficiently, and system developers will be able to easily correct problems and\nimplement enhancements.\n\nAudit of General Controls Over           Mainframe Computer Environment (Report No. A-000-99-004-P,\nMarch 1, 1999) and Audit of General Controls Over         Client-Server Environment (Report No. A-000-99-005-P,\nMarch 1, 1999).\n\n        management recognizes that financial management system documentation is not\ncomplete or current.          has identified the lack of financial management procedures as a\nmaterial control deficiency in its Integrity Act reports since 1993.       also recognizes\nthat system and requirements documentation for NMS is not complete, is not up-to-date, and\ndoes not follow prescribed standards. These deficiencies have hindered efforts to support\non-going system maintenance and operations.\n\n    Training and User Support\n\nTraining is important to successful implementation and ongoing operation of a financial\nmanagement system. Without proper training, users of a system may erroneously enter data,\noperators may make errors that disrupt system operations, and developers may have difficulty\nimplementing new requirements. 
Federal financial management system requirements call for\nagencies to provide adequate training and appropriate support, based on the level of\nresponsibility and roles of individual      to enable the users of the system at all levels to\nunderstand, operate, and maintain the system efficiently and effectively. This requires\nimplementation of a comprehensive training program for system developers, computer\noperators, and users.\n\nDuring fiscal year 1998,        implemented a regular NMS training program. The program\nincluded monthly courses in budget, reporting, operations, and several other NMS areas.\n\n    Maintenance\n\nOn-going system maintenance needs to be performed to enable the system to continue\noperating effectively and efficiently. Agencies should periodically evaluate how well the\nsystem supports changing business practices and make appropriate modifications through their\nmaintenance programs.\n\n          financial management systems, however, are difficult and expensive to maintain.\nMaintenance is difficult because (1) legacy systems are outdated, (2) informal locally\ndeveloped systems are not well documented, and (3) NMS suffers from design\ndeficiencies, software defects, and documentation gaps.\n'